Patent application title: IMPLICIT CERTIFICATE SCHEME

Abstract:

A method of generating a public key in a secure digital communication
system, having at least one trusted entity CA and subscriber entities A.
For each entity A, the trusted entity selects a unique identity
distinguishing the entity A. The trusted entity then generates a public
key reconstruction public data of the entity A by mathematically
combining public values obtained from respective private values of the
trusted entity and the entity A. The unique identity and public key
reconstruction public data of the entity A serve as A's implicit
certificate. The trusted entity combines the implicit certificate
information with a mathematical function to derive an entity information
f and generates a value $k_A$ by binding f with private values of
the trusted entity. The trusted entity transmits the value $k_A$ to the
entity to permit A to generate a private key from $k_A$, A's private
value and A's implicit certificate. The entity A's public key information
may be reconstructed from public information, and A's implicit
certificate.

Claims:

1. A method of generating a public key in a secure digital communication
system, having at least one trusted entity CA and subscriber entities A,
said method comprising the steps of:
(a) for each entity A, said CA selecting a unique identity $I_A$ distinguishing said entity A;
(b) generating a public key reconstruction public data $\gamma_A$ of entity A by mathematically combining a generator of said trusted party CA with a private value of said entity A, such that said pair $(I_A, \gamma_A)$ serves as A's implicit certificate;
(c) combining said implicit certificate information $(I_A, \gamma_A)$ in accordance with a mathematical function $F(\gamma_A, I_A)$ to derive an entity information f;
(d) generating a private key a of said entity A by signing said entity information f and
transmitting said private key a to said entity A, whereby said entity A's public key may be reconstructed from said public information, said generator $\gamma_A$ and said identity $I_A$ relatively efficiently.

2. A method of generating a public key certificates in a digital
communication system, said method comprising the steps of:
(a) generating a public key certificate, according to a public key cryptographic algorithm;
(b) embedding within said public key certificate a plurality of public key and wherein
at least one of said public keys is an implicitly signed public key; and
(c) publishing said certificate.

3. A method for generating a public key certificate of a subscriber entity
A by a trusted entity CA, said method comprising the steps of:
a) selecting a unique identity information $I_A$ for said subscriber entity A;
b) generating a private value $c_A$ for said subscriber entity A;
c) generating a public value $\gamma_A$ for said entity A from said private value $c_A$;
d) using said public value $\gamma_A$ and said identity information $I_A$ in a cryptographic function to generate a value f;
e) signing said value f to produce a signature a; and
f) transmitting said signature a, public value $\gamma_A$ and said identity information $I_A$ to said subscriber entity.

Description:

[0001]This application is a continuation of U.S. patent application Ser.
No. 10/921,870 filed on Aug. 20, 2004 which is a continuation of U.S.
patent application Ser. No. 09/667,817 filed on Sep. 22, 2000, which is a
continuation of PCT Application No. PCT/CA99/00244 filed on Mar. 23, 1999
which claims priority from Canadian Patent Application No. 2,235,359
filed on Apr. 20, 1998 and Canadian Patent Application No. 2,232,936
filed on Mar. 23, 1998, all of which are hereby incorporated by
reference.

[0003]Diffie-Hellman key agreement provided the first practical solution
to the key distribution problem in cryptographic systems. The key
agreement protocol allowed two parties never having met in advance or
shared key material to establish a shared secret by exchanging messages
over an open (unsecured) channel. The security rests on the
intractability of the Diffie-Hellman problem and the related problem of
computing discrete logarithms.

[0004]With the advent of the Internet and the like, the requirement for
large-scale distribution of public keys and public key certificates is
becoming increasingly important. Public-key certificates are a vehicle by
which public keys may be stored, distributed or forwarded over unsecured
media without danger of undetectable manipulation. The objective is to
make one party's public key available to others such that its
authenticity and validity are verifiable.

[0005]A public-key certificate is a data structure consisting of a data
part and a signature part. The data part contains cleartext data
including, as a minimum, a public key and a string identifying the party to
be associated therewith. The signature part consists of the digital
signature of a certification authority (CA) over the data part, thereby
binding the entity's identity to the specified public key. The CA is a
trusted third party whose signature on the certificate vouches for the
authenticity of the public key bound to the subject entity.

[0006]Identity-based systems (ID-based system) resemble ordinary
public-key systems, involving a private transformation and a public
transformation, but parties do not have explicit public keys as before.
Instead, the public key is effectively replaced by a party's publicly
available identity information (e.g. name or network address). Any
publicly available information, which uniquely identifies the party and
can be undeniably associated with the party, may serve as identity
information.

[0007]An alternate approach to distributing public keys involves
implicitly certified public keys. Here explicit user public keys exist,
but they must be reconstructed rather than transported by public-key
certificates as in certificate based systems. Thus implicitly certified
public keys may be used as an alternative means for distributing public
keys (e.g. Diffie-Hellman keys).

[0008]An example of an implicitly certified public key mechanism is known
as Gunther's implicitly-certified (ID-based) public key method. In this
method:
[0009]1. A trusted server T selects an appropriate fixed public prime p and generator $\alpha$ of $Z_p^*$. T selects a random integer t, with $1 \le t \le p-2$ and $\gcd(t, p-1)=1$, as its private key, and publishes its public key $u=\alpha^t \bmod p$, along with $\alpha$, p.
[0010]2. T assigns to each party A a unique name or identifying string $I_A$ and a random integer $k_A$ with $\gcd(k_A, p-1)=1$. T then computes $P_A=\alpha^{k_A} \bmod p$. $P_A$ is A's key reconstruction public data, allowing other parties to compute $(P_A)^a$ below.
[0011]3. Using a suitable hash function h, T solves the following equation for a:

$$h(I_A) \equiv tP_A + k_A a \pmod{p-1}$$

[0012]4. T securely transmits to A the pair $(r,s)=(P_A, a)$, which is T's ElGamal signature on $I_A$ (a is A's private key for Diffie-Hellman key-agreement).
[0013]5. Any other party can then reconstruct A's Diffie-Hellman public key $P_A^a$ entirely from publicly available information ($\alpha$, $I_A$, u, $P_A$, p) by computing:

$$P_A^a \equiv \alpha^{h(I_A)} u^{-P_A} \bmod p$$

[0014]Thus for discrete logarithm problems, signing a certificate needs
one exponentiation operation, but reconstructing the ID-based
implicitly-verifiable public key needs two exponentiations. It is known
that exponentiation in the group $Z_p^*$ and its analog scalar
multiplication of a point in $E(F_q)$ is computationally intensive. For
example an RSA scheme is extremely slow compared to elliptic curve
systems. However despite the resounding efficiency of EC systems over RSA
type systems this is still a problem particularly for computing devices
having limited computing power such as "smart cards", pagers and such
like.

[0016]In accordance with this invention there is provided a method of
generating an identity-based public key in a secure digital communication
system, having at least one trusted entity CA and subscriber entities A,
the method comprising the steps of:
[0017](a) for each entity A, the CA selecting a unique identity $I_A$ distinguishing the entity A;
[0018](b) generating a public key reconstruction public data $\gamma_A$ of entity A by mathematically combining a generator of the trusted party CA with a private value of the entity A, such that the pair $(I_A, \gamma_A)$ serves as A's implicit certificate;
[0019](c) combining the implicit certificate information $(I_A, \gamma_A)$ in accordance with a mathematical function $F(\gamma_A, I_A)$ to derive an entity information f;
[0020](d) generating a private key a of the entity A by signing the entity information f and
[0021]transmitting the private key a to the entity A, whereby the entity A's public key may be reconstructed from the public information, the generator $\gamma_A$ and the identity $I_A$ relatively efficiently.

[0022]In accordance with a further embodiment of the invention there is
provided a public key certificate comprising a plurality of public keys
having different bit strengths and wherein one of the public keys is an
implicitly certified public key.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023]Embodiments of the present invention will now be described by way of
example only with reference to the accompanying drawings in which:

[0024]FIG. 1 is a schematic representation of a first system configuration
according to an embodiment of the present invention; and

[0025]FIG. 2 is a schematic representation of a second system
configuration according to an embodiment of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

[0026]Referring to FIG. 1, a system with implicitly-certified public keys
is shown generally by 10. This system 10 includes a trusted third party
CA and at least a pair of first and second correspondents A and B
respectively. The correspondents A and B exchange information over a
communication channel and each includes a cryptographic unit for
performing signing/verification and encryption/decryption.

[0027]Referring back to FIG. 1, the trusted party CA selects an
appropriate prime p with $p=tq+1$ where q is a large prime and a generator
$\alpha$ of order q. The CA selects a random integer c, with
$1 \le c \le q-1$ as its private key, then computes the public key
$\beta=\alpha^c \bmod p$ and publishes ($\beta$, $\alpha$, p, q).

Scheme 1:

[0028]1. For each party A, the CA chooses a unique distinguished name or identity $I_A$ (e.g., name, address, phone number), and a random integer $c_A$ with $1 \le c_A \le q-1$. Then the CA computes $\gamma_A=\alpha^{c_A} \bmod p$. ($\gamma_A$ is the party A's public key reconstruction public data. The pair $(I_A, \gamma_A)$ serves as A's implicit certificate.)
[0029]2. The CA selects a function $f=F(I_A, \gamma_A)$. For example, $F(\gamma_A, I_A)=\gamma_A+h(I_A)$, or $F(\gamma_A, I_A)=h(\gamma_A+I_A)$ where h is a secure hash function, and solves the following equation for a, which is party A's private key. If a=0, then the CA chooses another $c_A$ and re-solves the equation.

$$1=cf+c_A a \pmod q$$

[0030]3. The CA securely sends the triple $(\gamma_A, a, I_A)$ to A, which is CA's signature on $I_A$. Then
[0031]a is A's private key;
[0032]$\gamma_A$ is A's generator; and
[0033]$\gamma_A^a$ ($=\alpha^{c_A a}$) is A's public key.
[0034]A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0035]4. Anyone can obtain party A's (ID-based) implicitly verifiable public key from the public domain by computing,

$$\gamma_A^a=\alpha\beta^{-f} \pmod p,$$

thus deriving the public key from the above equation, which requires only
one exponentiation operation.

[0036]Although everyone can reconstruct party A's public key from public
data, this does not mean that the reconstructed public key
$\gamma_A^a$ has been certified. This scheme is more effective
when it is combined with an application protocol that shows that party A
has complete knowledge of the corresponding private key. For example,
with the MQV key-agreement scheme or with any signature scheme and
particularly with a KCDSA (Korean Certificate based Digital Signature
Algorithm). In general, this implicit certificate scheme can be used with
any scheme, which is required to verify the certificate. This may be
demonstrated by referring to the Digital Signature Algorithm (DSA)
signature scheme.

[0037]Suppose Alice has a private key a, generator $\gamma_A$ and
publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public
domain. Now Alice wants to sign a message M using DSA.

[0049]The pair $(I_A, \gamma_A)$ serves as certificate of Alice.
Reconstructing the public key serves as implicit verification when the
application protocol results in a valid verification. Recall that
obtaining the public key needs only one exponentiation operation.

[0050]In an alternate embodiment, the scheme can be generalized to most
ElGamal signature schemes by modifying the signing equation
appropriately. In the following section, we give some examples.

Scheme 2:

[0051]The CA uses the signing equation $1=ca+c_Af \pmod q$. The CA
securely sends the triple $(\gamma_A, a, I_A)$ to A, then a is A's
private key, $\beta$ is A's generator and $\beta^a$ is A's public key.
A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public
domain. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

$$\beta^a=\alpha\gamma_A^{-f} \pmod p$$

For this scheme, each user has the same generator $\beta$ which is the CA's
public key.

Scheme 3:

[0052]The CA uses the signing equation $a=cf+c_A \pmod q$. The CA
securely sends the triple $(\gamma_A, a, I_A)$ to A, then a is A's
private key, $\alpha$ is A's generator and $\alpha^a$ is A's public
key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the
public domain. Anyone can obtain A's (ID-based) implicitly certified
public key from the public domain by computing

$$\alpha^a=\beta^f\gamma_A \pmod p$$

For this scheme, each user including the CA has the same generator
$\alpha$.

Scheme 4:

[0053]The CA uses the signing equation $a \equiv c_Af+c \pmod q$. The CA
securely sends the triple $(\gamma_A, a, I_A)$ to A, then a is A's
private key, $\alpha$ is A's generator and $\alpha^a$ is A's public
key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the
public domain. Anyone can obtain A's (ID-based) implicitly certified
public key from the public domain by computing

$$\alpha^a=\gamma_A^f\beta \pmod p$$

For this scheme, each user including the CA has the same generator $\alpha$.

[0054]In the above schemes the user or party A does not have freedom to
choose its own private key. In the following schemes, as illustrated in
FIG. 2, both the CA and the user control the user's private key but only
the user knows its private key.

Scheme 5':

[0055]A first randomly chooses an integer k and computes $\alpha^k$
then sends it to the CA. The CA computes
$\gamma_A=\alpha^{kc_A} \bmod p$, and solves the following
signing equation for $k_A$

$$1=cf+c_Ak_A \pmod q.$$

[0056]Then the CA computes $\gamma_A^1=\alpha^{c_A} \bmod p$
and sends the triple $(\gamma_A^1, k_A, I_A)$ to A. A
computes $a=k_Ak^{-1} \pmod q$ and
$\gamma_A=(\gamma_A^1)^k \pmod p$. Then a is A's private
key, $\gamma_A$ is A's generator and $\gamma_A^a$ is A's public key. A
publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public
domain. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

$$\gamma_A^a=\alpha\beta^{-f} \pmod p$$

Scheme 6:

[0057]1. A randomly chooses an integer k and computes $\beta^k$, then sends it to the CA.
[0058]2. The CA randomly chooses an integer $c_A$, computes $\gamma_A=\beta^k\alpha^{c_A} \pmod p$ and $f=F(\gamma_A, I_A)$, solves the signing equation for $k_A$ (if $k_A=0$, then choose another $c_A$)

$$1=ck_A+c_Af \pmod q.$$

[0059]Then CA computes $\gamma_A^1=\beta^{c_Ac^{-1}} \pmod p$ and sends the triple $(\gamma_A^1, k_A, I_A)$ to A.
[0060]Note: $(\gamma_A^1, k_A, I_A)$ can be sent by public channel.
[0061]3. A computes $\gamma_A=(\gamma_A^1)^{k^{-1}}\alpha^k \pmod p$, $f=F(\gamma_A, I_A)$, and $a=k_A-kf \pmod q$ (if a=0,1, then goes back to step 1). Then checks if $\beta^a=\alpha\gamma_A^{-f}$. Now a is A's private key, $\beta$ is A's generator and $\beta^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0062]4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

$$\beta^a=\alpha\gamma_A^{-f} \pmod p$$

Scheme 7:

[0063]A first randomly chooses an integer k and computes $\alpha^k$,
then sends it to the CA. Now CA computes
$\gamma_A=\alpha^k\alpha^{c_A} \pmod p$, solves the signing
equation for $k_A$

$$k_A \equiv cf+c_A \pmod q$$

[0064]Then the CA computes $\gamma_A^1=(\alpha^k)^{c_A} \pmod p$
and sends the triple $(\gamma_A^1, k_A, I_A)$ to A. A
computes $\gamma_A=(\gamma_A^1)^{k^{-1}}\alpha^k \pmod p$.
Then $a=k_A+k \pmod q$ is A's private key, $\alpha$ is A's generator
and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$,
$\beta$, $\gamma_A$, p, q) in the public domain. Anyone can obtain A's
(ID-based) implicitly certified public key from the public domain by
computing

$$\alpha^a=\beta^f\gamma_A \pmod p$$

Scheme 8:

[0065]1. A randomly chooses an integer k and computes $\alpha^k$, then sends it to the CA.
[0066]2. The CA randomly chooses an integer $c_A$, computes $\gamma_A=\alpha^k\alpha^{c_A} \pmod p$ and $f=F(\gamma_A, I_A)$, computes $k_A$ (if $k_A=0$, then choose another $c_A$)

$$k_A \equiv c_Af+c \pmod q.$$

[0067]Then CA computes $\gamma_A^1=(\alpha^k)^{c_A} \pmod p$ and sends the triple $(\gamma_A^1, k_A, I_A)$ to A.
[0068]Note: $(\gamma_A^1, k_A, I_A)$ can be sent by public channel.
[0069]3. A computes $\gamma_A=(\gamma_A^1)^{k^{-1}}\alpha^k \pmod p$, $f=F(\gamma_A, I_A)$, and $a=k_A+kf \pmod q$ (if a=0,1, then goes back to step 1). Then checks if $\alpha^a=\gamma_A^f\beta$. Now a is A's private key, $\alpha$ is A's generator and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0070]4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

$$\alpha^a=\gamma_A^f\beta \pmod p$$
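Scheme 8 run end to end between a user and the CA, as an added example that is not code from the patent. The toy group (p=2039, q=1019, α=4), the SHA-256-based F and the identity string are constructed assumptions; the subgroup check on α^k and the rejection of γ_A=1 are added guards that the text does not state.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): p = t*q + 1 with t = 2,
# and alpha = 4 generates the subgroup of prime order q.
P, Q, ALPHA = 2039, 1019, 4


def F(gamma_a: int, identity: str) -> int:
    """f = h(gamma_A || I_A) mapped into 1..q-1 (assumed form of F)."""
    digest = hashlib.sha256(f"{gamma_a}|{identity}".encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


class CA:
    def __init__(self):
        self.c = 2 + secrets.randbelow(Q - 2)        # private key, 1 < c < q
        self.beta = pow(ALPHA, self.c, P)            # public key beta = alpha^c

    def respond(self, alpha_k: int, identity: str):
        """Step 2: gamma_A = alpha^k * alpha^cA and k_A = c_A*f + c (mod q)."""
        # Added guard: the request must lie in the order-q subgroup.
        if not (1 < alpha_k < P and pow(alpha_k, Q, P) == 1):
            raise ValueError("alpha^k is not in the order-q subgroup")
        while True:
            c_a = 1 + secrets.randbelow(Q - 1)
            gamma_a = alpha_k * pow(ALPHA, c_a, P) % P
            if gamma_a == 1:
                continue    # added guard: k + c_A = 0 (mod q) would give a = c
            k_a = (c_a * F(gamma_a, identity) + self.c) % Q
            if k_a:
                return pow(alpha_k, c_a, P), k_a     # (gamma_A^1, k_A)


def user_request():
    """Step 1: the user keeps k and sends alpha^k."""
    k = 1 + secrets.randbelow(Q - 1)
    return k, pow(ALPHA, k, P)


def user_finish(k, gamma_a1, k_a, identity, beta):
    """Step 3: recover gamma_A, derive a = k_A + k*f, run the text's check.

    Returns None when a is 0 or 1 (the caller restarts from step 1).
    """
    gamma_a = pow(gamma_a1, pow(k, -1, Q), P) * pow(ALPHA, k, P) % P
    f = F(gamma_a, identity)
    a = (k_a + k * f) % Q
    if a in (0, 1):
        return None
    if pow(ALPHA, a, P) != pow(gamma_a, f, P) * beta % P:
        raise ValueError("check alpha^a == gamma_A^f * beta failed")
    return gamma_a, a


def reconstruct(beta: int, gamma_a: int, identity: str) -> int:
    """Step 4: anyone computes alpha^a = gamma_A^f * beta from public data."""
    return pow(gamma_a, F(gamma_a, identity), P) * beta % P


def enroll(ca: CA, identity: str, tamper: int = 0):
    """Full exchange; `tamper` is added to k_A in transit to model alteration."""
    while True:
        k, alpha_k = user_request()
        gamma_a1, k_a = ca.respond(alpha_k, identity)
        result = user_finish(k, gamma_a1, (k_a + tamper) % Q, identity, ca.beta)
        if result is not None:
            return result


if __name__ == "__main__":
    ca = CA()
    gamma_a, a = enroll(ca, "alice@example.test")    # constructed identity
    print(pow(ALPHA, a, P) == reconstruct(ca.beta, gamma_a, "alice@example.test"))
```

The CA sees only α^k, c_A and k_A, so it cannot form a = k_A + kf without k, while the user's check in step 3 rejects a response whose k_A was altered on the public channel.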

[0071]In the above schemes 5-8, anyone can get some partial information of
user A's private key a since $k_A$ is sent by public channel. To
hide this information and to speed up computation of above schemes, we
introduce DES encryption to get the following schemes 9-12 by modifying
schemes 5-8. The advantage of schemes 9-12 is that the user can compute K
easily since $\beta$ is fixed.

Next CA computes $K=(\alpha^k)^c \pmod p$ and $\bar{k}_A=DES_K(k_A)$,
then sends the triple $(\gamma_A, \bar{k}_A, I_A)$ to A.

γA

[0074]3. A computes $K=\beta^k \pmod p$, $k_A=DES_K(\bar{k}_A)$, and $a=k_Ak^{-1} \pmod q$ (if a=1, then goes back to step 1). Then checks if $\gamma_A^a=\alpha\beta^{-f}$. Now a is A's private key, $\gamma_A$ is A's generator and $\gamma_A^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0075]4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

Next CA computes $K=(\beta^k)^{c_Ac^{-1}}=\alpha^{kc_A} \pmod p$ and $\bar{k}_A=DES_K(k_A)$, then sends the triple $(\gamma_A, \bar{k}_A, I_A)$ to A.
Note: $(\gamma_A, \bar{k}_A, I_A)$ can be sent by public channel.
[0078]3. A computes $K=(\gamma_A/\beta^k)^k=\alpha^{kc_A} \pmod p$, $k_A=DES_K(\bar{k}_A)$, $f=F(\gamma_A, \beta, I_A)$ and computes $a=k_A-kf \pmod q$ (if a=0,1, then goes back to step 1). Then checks if $\beta^a=\alpha\gamma_A^{-f}$. Now a is A's private key, $\beta$ is A's generator and $\beta^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0079]4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

[0081]$k_A=cf+c_A \pmod q$.
[0082]Next CA computes $K=(\alpha^k)^c \pmod p$ and $\bar{k}_A=DES_K(k_A)$, then sends the triple $(\gamma_A, \bar{k}_A, I_A)$ to A.
[0083]Note: $(\gamma_A, \bar{k}_A, I_A)$ can be sent by public channel.
[0084]3. A computes $K=\beta^k \pmod p$, $k_A=DES_K(\bar{k}_A)$, and $a=k_A+k \pmod q$ (if a=0,1, then goes back to step 1). Then checks if $\alpha^a=\beta^f\gamma_A$. Now a is A's private key, $\alpha$ is A's generator and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0085]4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing $\alpha^a=\beta^f\gamma_A \pmod p$

Scheme 12:

[0086]1. A randomly chooses an integer k and computes $\alpha^k$, then sends it to CA.
[0087]2. CA randomly chooses an integer $c_A$, computes $\gamma_A=\alpha^k\alpha^{c_A} \pmod p$ and $f=F(\gamma_A, \beta, I_A)$, computes $k_A$ (if $k_A=0$, then choose another $c_A$)

$$k_A=c_Af+c \pmod q$$

Next CA computes $K=(\alpha^k)^c \pmod p$ and $\bar{k}_A=DES_K(k_A)$, then sends the triple $(\gamma_A, \bar{k}_A, I_A)$ to A.
Note: $(\gamma_A, \bar{k}_A, I_A)$ can be sent by public channel.
[0088]3. A computes $K=\beta^k \pmod p$, $k_A=DES_K(\bar{k}_A)$, $f=F(\gamma_A, \beta, I_A)$, and $a=k_A+kf \pmod q$ (if a=0,1, then goes back to step 1). Then checks if $\alpha^a=\gamma_A^f\beta$. Now a is A's private key, $\alpha$ is A's generator and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q). Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

$$\alpha^a=\gamma_A^f\beta \pmod p$$

The advantages for schemes 9-12 are that user A can compute K easily since
$\beta$ is fixed and that $k_A$ is encrypted such that no other people
can know it.

Note that for schemes 5-12, adding an option parameter OP to
the function $F(\gamma_A, \beta, I_A)$ (i.e., $f=F(\gamma_A, \beta, I_A, OP)$)
will make the schemes more useful. For example,
$OP=\alpha^{a_E}$, where $a_E$ is user A's private encryption key
and $\alpha^{a_E}$ is user A's public encryption key. Following
scheme 15 is a modification of scheme 7. Schemes 5-12 can be modified in
the same way. The schemes 1-4 can also be modified in the same way.

[0090]$k_A \equiv cf+c_A \pmod q$.
[0091]Next CA computes $K=H((\alpha^k)^c)$ and $\bar{k}_A=DES_K(k_A)$, then sends the triple $(f, \bar{k}_A, I_A)$ to A.
[0092]3. A computes $K=H(\beta^k)$, $k_A=DES_K(\bar{k}_A)$, and $a=k_A+k \pmod q$ (if a=0,1, then goes back to step 1). Then computes $\gamma_A=\alpha^a\beta^{-f} \pmod p$ and checks if $f=F(\gamma_A, I_A, OP)$. Now a is A's private key, $\alpha$ is A's generator and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0093]4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

$$\alpha^a=\beta^f\gamma_A \pmod p$$

Furthermore we can reduce the bandwidth by the following scheme 14.

Scheme 14:

[0094]1. A randomly chooses an integer k and computes $\alpha^k$, then sends it to CA.
[0095]2. CA randomly chooses an integer $c_A$, computes $\gamma_A=\alpha^k\alpha^{c_A} \pmod p$ and sets $\hat{\gamma}_A$ as the first 80 least significant bits of $\gamma_A$. Then computes $f=F(\hat{\gamma}_A, I_A, OP)$ and $k_A$ (if $k_A=0$, then choose another $c_A$)

$$k_A \equiv cf+c_A \pmod q.$$

[0096]Next CA computes $K=(\alpha^k)^c \pmod p$ and $\bar{k}_A=DES_K(k_A)$, then sends the triple $(\hat{\gamma}_A, \bar{k}_A, I_A)$ to A.
[0097]Note: $(\hat{\gamma}_A, \bar{k}_A, I_A)$ can be sent by public channel.
[0098]3. A computes $K=\beta^k \pmod p$, $k_A=DES_K(\bar{k}_A)$, and $a=k_A+k \pmod q$ (if a=0,1, then goes back to step 1). Then computes $f=F(\hat{\gamma}_A, \beta, I_A)$, $\gamma_A=\alpha^a\beta^{-f} \pmod p$ and checks if the first 80 least significant bits of $\gamma_A$ is $\hat{\gamma}_A$. Now a is A's private key, $\alpha$ is A's generator and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0099]4. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

$$\alpha^a=\beta^f\gamma_A \pmod p$$

The security level of scheme 5.c is not as high as that of the other
schemes discussed before. Scheme 5.c only has 80 bit security, but it is
acceptable for practical applications now. We can extend the first 80 least
significant bits to the half least significant bits of $\gamma_A$.

The implicit certificate can be used to certify some other useful
information by including the information in the option parameter OP. For
example $OP=\alpha^{a_E} \| OP_2$, where $a_E$ is another private key of
user A and $\alpha^{a_E}$ is the corresponding public
key. Following scheme 15 is a modification of scheme 7. Other schemes can
be modified in the same way.

Then CA computes $\gamma_A^1=(\alpha^k)^{c_A} \pmod p$ and sends the triple $(\gamma_A^1, k_A, I_A)$ to A.
Note: $(\gamma_A^1, k_A, I_A)$ can be sent by public channel.
[0103]4. A computes $a=k_A+k \pmod q$ (if a=0,1, then goes back to step 1) and computes $\gamma_A=(\gamma_A^1)^{k^{-1}}\alpha^k \pmod p$. Then checks if $\alpha^a=\beta^f\gamma_A$. Now a is A's private signing key, $\alpha$ is A's generator and $\alpha^a$ is A's public signing key, $a_E$ is A's private encryption key and $\alpha^{a_E}$ is A's public encryption key. A publishes ($\alpha$, $\alpha^{a_E}$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0104]5. Anyone can obtain A's (ID-based) implicitly certified public key from the public domain by computing

$$\alpha^a=\beta^f\gamma_A \pmod p$$

Notes. (for scheme 13-15)

[0105]1. The identity $I_A$ may be chosen either by CA or by entity A.
[0106]2. CA should authenticate the entity A. It can be done by the method described in the note 2 of scheme 11.
[0107]3. $(f, \bar{k}_A, I_A)$ or $(\hat{\gamma}_A, \bar{k}_A, I_A)$ or $(\gamma_A^1, k_A, I_A)$ can be sent by public channel.

[0108]In our schemes, $(a, \gamma_A)$ is CA's signature on A's ID
$I_A$, which was supposed to be publicly known. But now, only user A
knows a. So when we use these schemes, we should make sure that in the
application protocol, user A knows his/her own private key. In other
words, the application protocol must guarantee that A uses his/her
private key in the computation.

[0109]The security of the new scheme depends on the signing equations. For
example, in scheme 1, the signing equation is

$$1=cf+c_Aa \pmod q. \qquad (1)$$

We are going to show that for some choice of the one way function
$F(\gamma_A, I_A)$, the new scheme 1 is equivalent to DSA.

Let $F(\gamma_A, I_A)=\gamma_A h(I_A)^{-1}$ and replace
$s\,h(I_A)^{-1}$ by a in the above equation; we get equation (1).
Obviously, equation (2) is equivalent to equation (1) if
$F(\gamma_A, I_A)=\gamma_A h(I_A)^{-1}$. That means, if anyone can break
the scheme using the signing equation (1), then he/she can break the
scheme using the signing equation (2) which is the DSA scheme.

[0112]Heuristic arguments suggest our new schemes are secure for suitable
choice of $F(\gamma_A, I_A)$, where $F(\gamma_A, I_A)=\gamma_A h(I_A)$ or
$F(\gamma_A, I_A)=h(\gamma_A, I_A)$. Note $F(\gamma_A, I_A)$ can be
some other format, for example when $I_A$ is small, say 20 bits, but q
is more than 180 bits, then we can use
$F(\gamma_A, I_A)=\gamma_A+I_A$. A disadvantage of the new schemes is that
all users and the CA use the same field size. However this is the way that all
ID-based implicitly certified public key schemes work, for example,
Girault's RSA based Diffie-Hellman public key agreement scheme.

[0113]A further set of schemes may also be described as follows:

[0114]System setup: A trusted party CA selects an appropriate prime p with
$p=tq+1$ where q is a large prime and a generator $\alpha$ of order q. CA
selects a random integer c, with $1<c<q$ as its private key, computes
the public key $\beta=\alpha^c \bmod p$ and publishes ($\beta$, $\alpha$,
p, q). Then CA chooses a special cryptographic function
$f=F(\gamma_A, I_A, OP)$ ($f: \{0,1\}^* \to \{1, 2, \ldots, (q-1)\}$)
such that with this function, the signature scheme which is used to produce
the implicit certificate is secure, where OP represents some option
parameters that the user may be concerned with (such as date, or $\beta$, the
CA's public key). For example, let h be a secure hash function; f can be one
of the following formats:
[0115]1. $F(\gamma_A, I_A, OP)=\gamma_A+\beta+h(I_A)$
[0116]2. $F(\gamma_A, I_A, OP)=h(\gamma_A \| \beta \| I_A)$
[0117]3. $F(\gamma_A, I_A, OP)=\gamma_A+\beta+I_A$ where $I_A$ has some pattern (or when $I_A$ is small, say 20 bits, and q is more than 180 bits)
[0118]4. $F(\gamma_A, I_A, OP)=\gamma_A+h(I_A)$
[0119]5. $F(\gamma_A, I_A, OP)=h(\gamma_A \| I_A)$
[0120]6. $F(\gamma_A, I_A, OP)=\gamma_A+I_A$ where $I_A$ has some pattern (or when $I_A$ is small, say 20 bits, and q is more than 180 bits)
[0121]7. It is very easy to change the parameters a little bit to get a secure signature scheme from a given secure signature scheme. So $F(\gamma_A, I_A, OP)$ can be any other format that guarantees the signature scheme which is used to produce the implicit certificate is secure. Note that by suitably choosing $F(\gamma_A, I_A, OP)$, any ElGamal-like signature scheme we know so far is equivalent to one of the 4 families of schemes we proposed in this paper if it is used as an implicit certificate scheme after modification. But our proposed schemes have the most efficiency.

[0122]Note: the above system setup will be assumed in the following
schemes.

[0123]Scheme 1.a:
[0124]1. For each entity A, CA chooses a unique distinguished name or identity $I_A$ (e.g., name, address, phone number), and a random integer $c_A$ with $1<c_A<q$. Then CA computes $\gamma_A=\alpha^{c_A} \bmod p$. ($\gamma_A$ is A's public key reconstruction public data. $(I_A, \gamma_A)$ serves as A's implicit certificate.)
[0125]2. CA computes $f=F(\gamma_A, I_A, OP)$ and solves the following equation for a (if $a=0, 1, c, c_A^{-1}c$, then chooses another $c_A$ and re-solves the equation).

$$1=cf+c_Aa \pmod q.$$

[0126]3. CA securely sends the triple $(\gamma_A, a, I_A)$ to A, which is CA's signature on $I_A$. Then a is A's private key, $\gamma_A$ is A's generator and $\gamma_A^a$ ($=\alpha^{c_Aa}$) is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0127]4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

$$\gamma_A^a=\alpha\beta^{-f} \pmod p$$

Note:

[0128]1. In step 1, the identity $I_A$ may be chosen by entity A.
[0129]2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key. Especially when $a=0, c_A^{-1}c$, anyone can compute CA's private key c from $1=cf \pmod q$.
[0130]3. For this scheme, each user has a different system generator $\gamma_A$.

[0131]Scheme 1.b:
[0132]1. For each entity A, CA chooses a unique distinguished name or identity $I_A$ (e.g., name, address, phone number), and a random integer $c_A$ with $1<c_A<q$. Then CA computes $\gamma_A=\alpha^{c_A} \bmod p$. ($\gamma_A$ is A's public key reconstruction public data. $(I_A, \gamma_A)$ serves as A's implicit certificate.)
[0133]2. CA computes $f=F(\gamma_A, I_A, OP)$ and solves the following equation for a (if a=0,1,c, then chooses another $c_A$ and re-solves the equation).

$$1 \equiv ca+c_Af \pmod q.$$

[0134]3. CA securely sends the triple $(\gamma_A, a, I_A)$ to A, which is CA's signature on $I_A$. Then a is A's private key, $\beta$ is A's generator and $\beta^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0135]4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

$$\beta^a=\alpha\gamma_A^{-f} \pmod p$$

Note:

[0136]1. In step 1, the identity $I_A$ may be chosen by entity A.
[0137]2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key; when a=0, the certificate does not involve the CA.
[0138]3. For this scheme, each user has the same system generator $\beta$.

[0139]Scheme 1.c:
[0140]1. For each entity A, CA chooses a unique distinguished name or identity $I_A$ (e.g., name, address, phone number), and a random integer $c_A$ with $1<c_A<q$. Then CA computes $\gamma_A=\alpha^{c_A} \bmod p$. ($\gamma_A$ is A's public key reconstruction public data. $(I_A, \gamma_A)$ serves as A's implicit certificate.)
[0141]2. CA computes $f=F(\gamma_A, I_A, OP)$ and solves the following equation for a (if a=0,1 or c, then chooses another $c_A$ and re-solves the equation).

$$a \equiv cf+c_A \pmod q.$$

[0142]3. CA securely sends the triple $(\gamma_A, a, I_A)$ to A, which is CA's signature on $I_A$. Then a is A's private key, $\alpha$ is A's generator and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0143]4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

$$\alpha^a=\beta^f\gamma_A \pmod p$$

Note:

[0144]1. In step 1, the identity $I_A$ may be chosen by entity A.
[0145]2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key.
[0146]3. For this scheme, each user has the same system generator $\alpha$.

[0147]Scheme 1.d:
[0148]1. For each entity A, CA chooses a unique distinguished name or identity $I_A$ (e.g., name, address, phone number), and a random integer $c_A$ with $1<c_A<q$. Then CA computes $\gamma_A=\alpha^{c_A} \bmod p$. ($\gamma_A$ is A's public key reconstruction public data. $(I_A, \gamma_A)$ serves as A's implicit certificate.)
[0149]2. CA computes $f=F(\gamma_A, I_A, OP)$ and solves the following equation for a (if a=0,1 or c, then chooses another $c_A$ and re-solves the equation).

$$a \equiv c_Af+c \pmod q.$$

[0150]3. CA securely sends the triple $(\gamma_A, a, I_A)$ to A, which is CA's signature on $I_A$. Then a is A's private key, $\alpha$ is A's generator and $\alpha^a$ is A's public key. A publishes ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain.
[0151]4. Anyone can obtain A's (ID-based) implicitly verified public key from the public domain by computing

$$\alpha^a=\gamma_A^f\beta \pmod p$$

Note:

[0152]1. In step 1, the identity $I_A$ may be chosen by entity A.
[0153]2. In step 2, we exclude a=0,1, since in this case anyone can easily know A's private key.
[0154]3. For this scheme, each user has the same system generator $\alpha$.

Although everyone can reconstruct user A's public key from public data,
this does not mean that the reconstructed public key has been certified.
To explicitly verify the certificate, we need to know a. Once we know a,
the verification process becomes verifying CA's signature on $I_A$. For
example, in scheme 1.a, if the verifier computes $\alpha\beta^{-f}$ and
user A computes $\gamma_A^a$ using a, then they can verify the
certificate together. But the verifier must make sure that user A indeed
knows a. So reconstructing the public key serves as an implicit
verification only if it is combined with an application protocol that
shows user A has complete knowledge of the corresponding private key. In
general, the implicit certificate scheme can be used with any public key
scheme which needs to authenticate the subject entity and the public key.

Let's demonstrate it by using the DSA signature scheme as the implicitly
certified public key system and scheme 1.a as the implicit certificate
scheme.

Suppose Alice has private key a, generator $\gamma_A$ and publishes
($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) in the public domain. Now
Alice wants to sign a message M using DSA.

Alice does the following:
[0155]1. randomly chooses x, computes $r=\gamma_A^x \pmod p$.
[0156]2. computes e=sha-1(M).
[0157]3. computes $s=x^{-1}(e+ar) \pmod q$
[0158]4. The signature on M is (r,s).

The verifier does the following:
[0159]1. gets Alice's public data ($\alpha$, $I_A$, $\beta$, $\gamma_A$, p, q) and computes f and reconstructs the
public key

[0164]The pair (I_A, γ_A) serves as the certificate of Alice. For DSA, we
know that it is very hard to forge Alice's signature without knowing a.
Reconstructing the public key then serves as implicit verification when
the application protocol ends with a valid result. Recall that obtaining
the public key needs only one exponentiation operation. For this reason,
we say that verifying the implicit certificate needs one exponentiation
operation.

[0165]The following implicit certificate schemes may be derived by
modifying the schemes above such that CA and entity both control the
entity's private key but only the subject entity knows his/her private
key.

In this section we need another system parameter H(*), where H(*) is a
cryptographic function which may be a secure hash function, a one-way
function or the identity map.

[0183]k_A = c_A f + c (mod q).
[0184]Then CA computes γ_A^1 = (α^k)^{c_A} (mod p) and sends the triple
(γ_A^1, k_A, I_A) to A.
[0185]3. A computes γ_A = (γ_A^1)^{k^{-1}} α^k (mod p), f=F(γ_A, I_A, OP),
and a = k_A + k f (mod q) (if a=0, 1, then A goes back to step 1). Then A
checks if α^a = γ_A^f β. Now a is A's private key, α is A's generator and
α^a is A's public key. A publishes (α, I_A, β, γ_A, p, q) in the public
domain.
[0186]4. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

α^a = γ_A^f β (mod p)

Notes: (for scheme 2.a, 2.b, 2.c, 2.d)

[0187]1. The identity I_A may be chosen either by CA or by entity A.
[0188]2. CA should authenticate the entity A. It can be done either by
presence in front of CA or by secure channel or by voice (for example, on
the phone) or by the following method: In step 2, instead of sending the
triple (γ_A^1, k_A, I_A) to A, CA first sends γ_A^1 to A. A computes γ_A,
sets K=H(γ_A), encrypts the authentication information A_{A1} of A (such
as VISA information) by DES (or another symmetric key system) and sends
DES_K(A_{A1}) to CA. CA decrypts DES_K(A_{A1}) to get A_{A1}. After
checking the validity of A_{A1}, CA then sends (k_A, I_A) to A.
[0189]3. (γ_A^1, k_A, I_A) can be sent by public channel.

In the above schemes 2.a-2.d, the implicit certificate schemes are
finished by the subject entity and the CA. Each scheme is essentially
divided into two parts: a key-exchange part and a signature part. One
function of the key exchange part is to transmit implicit certificate
information from CA to A by public channel (more discussion is given in
section 6). To speed up computation of the above schemes, we can modify
the key exchange part. Schemes 3.a-3.d follow by modifying schemes
2.a-2.d. The advantage of schemes 3.a-3.d is that user A can compute K
before he gets a response from the CA since β is fixed. This property is
good especially for the online case.

[0191]1 = c f + c_A k_A (mod q).
[0192]Next CA computes K=H((α^k)^c) and k̄_A = DES_K(k_A), then sends the
triple (γ_A, k̄_A, I_A) to A.
[0193]3. A computes K=H(β^k), k_A = DES_K(k̄_A), and a = k_A k^{-1} (mod q)
(if a=1, then A goes back to step 1). Then A checks if
γ_A^a = α β^{-f}. Now a is A's private key, γ_A is A's generator and
γ_A^a is A's public key. A publishes (α, I_A, β, γ_A, p, q) in the public
domain.
[0194]4. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

[0196]1 = c k_A + c_A f (mod q).
[0197]Next CA computes K=H((β^k)^{c_A c^{-1}})=H(α^{k c_A}) and
k̄_A = DES_K(k_A), then sends the triple (γ_A, k̄_A, I_A) to A.
[0198]3. A computes K=H((γ_A/β^k)^k)=H(α^{k c_A}), k_A = DES_K(k̄_A),
f=F(γ_A, I_A, OP) and computes a = k_A - k f (mod q) (if a=0, 1, then A
goes back to step 1). Then A checks if β^a = α γ_A^{-f}. Now a is A's
private key, β is A's generator and β^a is A's public key. A publishes
(α, I_A, β, γ_A, p, q) in the public domain.
[0199]4. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

β^a = α γ_A^{-f} (mod p)

Note: (for scheme 3.b)

[0200]1. The identity I_A may be chosen either by CA or by entity A.
[0201]2. CA should authenticate the entity A. It can be done either by
presence in front of CA or by secure channel or by voice (for example, on
the phone) or by the following method: In step 2, instead of sending the
triple (γ_A, k̄_A, I_A) to A, CA first sends γ_A to A. A computes
K=H((γ_A/β^k)^k)=H(α^{k c_A}), encrypts the authentication information
A_{A1} of A (such as VISA information) by DES (or another symmetric key
system) and sends DES_K(A_{A1}) to CA. CA decrypts DES_K(A_{A1}) to get
A_{A1}. After checking the validity of A_{A1}, CA then sends (k̄_A, I_A)
to A.
[0202]3. (γ_A, k̄_A, I_A) can be sent by public channel.

[0204]k_A ≡ c f + c_A (mod q).
[0205]Next CA computes K=H((α^k)^c) and k̄_A = DES_K(k_A), then sends the
triple (γ_A, k̄_A, I_A) to A.
[0206]3. A computes K=H(β^k), k_A = DES_K(k̄_A), and a = k_A + k (mod q)
(if a=0, 1, then A goes back to step 1). Then A checks if
α^a = β^f γ_A. Now a is A's private key, α is A's generator and α^a is
A's public key. A publishes (α, I_A, β, γ_A, p, q) in the public domain.
[0207]4. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

[0209]k_A ≡ c_A f + c (mod q).
[0210]Next CA computes K=H((α^k)^c) and k̄_A = DES_K(k_A), then sends the
triple (γ_A, k̄_A, I_A) to A.
[0211]3. A computes K=H(β^k), k_A = DES_K(k̄_A), f=F(γ_A, I_A, OP), and
a = k_A + k f (mod q) (if a=0, 1, then A goes back to step 1). Then A
checks if α^a = γ_A^f β. Now a is A's private key, α is A's generator and
α^a is A's public key. A publishes (α, I_A, β, γ_A, p, q) in the public
domain.
[0212]4. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

α^a = γ_A^f β (mod p)

Notes: (for scheme 3.a, 3.e, 2.d)

[0213]1. The identity I_A may be chosen either by CA or by entity A.
[0214]2. CA should authenticate the entity A. It can be done either by
presence in front of CA or by secure channel or by voice (for example, on
the phone) or by the following method: In step 1, A computes α^k and
K=H(β^k), then sends α^k and DES_K(A_{A1}) to CA. CA computes
K=H((α^k)^c) and decrypts DES_K(A_{A1}) to get A_{A1}. After checking the
validity of A_{A1}, CA continues with step 2.
[0215]3. (γ_A, k̄_A, I_A) can be sent by public channel.

The advantages of schemes 3.a, 3.c and 3.d are that user A can compute K
easily since β is fixed and that k_A is encrypted such that no other
people can know it. In fact the publicity of k_A does not decrease the
security of the certificate scheme. The purpose of encrypting k_A is to
make sure that the entity knows k. So for schemes 3.a-3.d, the DES
encryption part can be removed and k̄_A can be replaced by k_A provided
the certificate scheme uses the method described in Note 2.

To save transmission bandwidth in the above schemes, we can modify them
by sending f=F(γ_A, I_A, OP) instead of γ_A (note that in general, the
size of γ_A is larger than 160 bits and f is just 160 bits). The
following scheme 4.c is a modification of scheme 3.c.

[0217]k_A ≡ c f + c_A (mod q).
[0218]Next CA computes K=H((α^k)^c) and k̄_A = DES_K(k_A), then sends the
triple (f, k̄_A, I_A) to A.
[0219]3. A computes K=H(β^k), k_A = DES_K(k̄_A), and a = k_A + k (mod q)
(if a=0, 1, then A goes back to step 1). Then A computes
γ_A = α^a β^{-f} (mod p) and checks if f=F(γ_A, I_A, OP). Now a is A's
private key, α is A's generator and α^a is A's public key. A publishes
(α, I_A, β, γ_A, p, q) in the public domain.
[0220]4. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

α^a = β^f γ_A (mod p)

Furthermore, we can reduce the bandwidth by the following scheme 5.c.

Scheme 5.c:

[0221]1. A randomly chooses an integer k and computes α^k, then sends it
to CA.
[0222]2. CA randomly chooses an integer c_A, computes
γ_A = α^k α^{c_A} (mod p) and sets γ̂_A as the first 80 least significant
bits of γ_A. Then CA computes f=F(γ̂_A, I_A, OP) and k_A (if k_A=0, then
CA chooses another c_A)

[0222]k_A ≡ c f + c_A (mod q).
[0223]Next CA computes K = (α^k)^c (mod p) and k̄_A = DES_K(k_A), then
sends the triple (γ̂_A, k̄_A, I_A) to A.
[0224]Note: (γ̂_A, k̄_A, I_A) can be sent by public channel.
[0225]3. A computes K = β^k (mod p), k_A = DES_K(k̄_A), and
a = k_A + k (mod q) (if a=0, 1, then A goes back to step 1). Then A
computes f=F(γ̂_A, β, I_A), γ_A = α^a β^{-f} (mod p) and checks if the
first 80 least significant bits of γ_A are γ̂_A. Now a is A's private
key, α is A's generator and α^a is A's public key. A publishes (α, I_A,
β, γ_A, p, q) in the public domain.
[0226]4. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

α^a = β^f γ_A (mod p)
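Scheme 5.c end to end, as an added Python example (not code from the patent). The toy group p=2039, q=1019, α=4, the 8-bit truncation standing in for the scheme's 80 bits, the SHA-256-based F (applied to (γ̂_A, I_A, OP) with empty OP in both steps 2 and 3), the XOR pad standing in for DES_K, and all function names are assumptions.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: p = t*q + 1 with t = 2.
P, Q, ALPHA = 2039, 1019, 4          # ALPHA has order Q modulo P
TRUNC_BITS = 8                       # toy stand-in for the scheme's 80 bits

def F(gamma_hat, identity, op=b""):
    """Assumed F: SHA-256 over (gamma_hat, I_A, OP), reduced mod Q."""
    digest = hashlib.sha256(gamma_hat.to_bytes(2, "big") + identity + op).digest()
    return int.from_bytes(digest, "big") % Q

def pad(K):
    """Assumed stand-in for DES_K: a 16-bit XOR pad derived from K."""
    return int.from_bytes(hashlib.sha256(K.to_bytes(2, "big")).digest()[:2], "big")

def low_bits(x):
    return x & ((1 << TRUNC_BITS) - 1)

def ca_setup():
    c = secrets.randbelow(Q - 1) + 1             # CA private key, 1 <= c <= q-1
    return c, pow(ALPHA, c, P)                   # (c, beta)

def subscriber_request():
    k = secrets.randbelow(Q - 1) + 1             # step 1: A keeps k ...
    return k, pow(ALPHA, k, P)                   # ... and sends alpha^k

def ca_issue(c, alpha_k, identity):
    """Step 2: returns (gamma_hat, k_bar), both fit for a public channel."""
    while True:
        c_A = secrets.randbelow(Q - 1) + 1
        gamma_hat = low_bits(alpha_k * pow(ALPHA, c_A, P) % P)
        k_A = (c * F(gamma_hat, identity) + c_A) % Q
        if k_A != 0:                             # otherwise choose another c_A
            return gamma_hat, k_A ^ pad(pow(alpha_k, c, P))

def subscriber_finish(k, beta, gamma_hat, k_bar, identity):
    """Step 3: returns (a, gamma_A), or None when A must reject or restart."""
    k_A = k_bar ^ pad(pow(beta, k, P))           # K = beta^k = (alpha^k)^c
    a = (k_A + k) % Q
    if a in (0, 1):
        return None
    f = F(gamma_hat, identity)
    gamma_A = pow(ALPHA, a, P) * pow(beta, -f, P) % P
    if low_bits(gamma_A) != gamma_hat:           # binds a to what the CA signed
        return None
    return a, gamma_A

def enroll(c, beta, identity):
    """Runs steps 1-3, restarting at step 1 whenever step 3 returns None."""
    while True:
        k, alpha_k = subscriber_request()
        gamma_hat, k_bar = ca_issue(c, alpha_k, identity)
        result = subscriber_finish(k, beta, gamma_hat, k_bar, identity)
        if result is not None:
            return result

def reconstruct(beta, gamma_A, identity):
    """Step 4: alpha^a = beta^f * gamma_A (mod p), from public data only."""
    return pow(beta, F(low_bits(gamma_A), identity), P) * gamma_A % P
```

With an 8-bit γ̂_A in this toy group, at most 7 altered values of k̄_A can pass A's check in step 3, which shows why the width of γ̂_A sets the scheme's security level.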

The security level of scheme 5.c is not as high as that of the other
schemes discussed before. Scheme 5.c only has 80 bit security. But it is
OK for practical applications now. We can extend the first 80 least
significant bits to the half least significant bits of γ_A.

The implicit certificate can be used to certify some other useful
information by including the information in the option parameter OP. For
example OP = α^{a_E} ∥ OP_2, where a_E is another private key of user A
and α^{a_E} is the corresponding public key. The following scheme 6.c is
a modification of scheme 2.c. Other schemes can be modified in the same
way.

[0229]k_A = c f + c_A (mod q).
[0230]Then CA computes γ_A^1 = (α^k)^{c_A} (mod p) and sends the triple
(γ_A^1, k_A, I_A) to A.
[0231]4. A computes a = k_A + k (mod q) (if a=0, 1, then A goes back to
step 1) and computes γ_A = (γ_A^1)^{k^{-1}} α^k (mod p). Then A checks if
α^a = β^f γ_A. Now a is A's private signing key, α is A's generator and
α^a is A's public signing key. a_E is A's private encryption key and
α^{a_E} is A's public encryption key. A publishes (α, α^{a_E}, I_A, β,
γ_A, p, q) in the public domain.
[0232]5. Anyone can obtain A's (ID-based) implicitly certified public key
from the public domain by computing

α^a = β^f γ_A (mod p)

Notes: (for scheme 4.c, 5.c, 6.c)

[0233]1. The identity I_A may be chosen either by CA or by entity A.
[0234]2. CA should authenticate the entity A. It can be done by the
method described in note 2 of scheme 3.c.
[0235](f, k̄_A, I_A) or (γ̂_A, k̄_A, I_A) or (γ_A^1, k_A, I_A) can be sent
by public channel.

CA Chaining Scheme

[0236]In order to implement a CA chaining structure, that is, CA1
authenticates CA2, CA2 authenticates CA3 and CA3 authenticates user A, in
this section we present an example with 3 CAs in the CA chain. We use
basic scheme 3' to demonstrate this example.

[0237]System Setup:

[0238]The highest trusted party CA1 selects an appropriate prime p with
p=tq+1 where q is a large prime and a generator α of order q. CA1 selects
a random integer c_1, with 1 ≤ c_1 ≤ q-1, as its private key, then
computes the public key β_1 = α^{c_1} mod p and publishes (β_1, α, p, q).

[0239]Phase 1. CA2 Applies for Implicit Certified Public Key from CA1.
[0240]1. CA2 randomly chooses an integer k_2 and computes α^{k_2}, then
sends it to CA1.
[0241]2. CA1 chooses a unique distinguished name or identity I_{CA2} and
a random integer c_{CA2} with 1 ≤ c_{CA2} ≤ q-1. Then CA1 computes
γ_{CA2} = α^{k_2} α^{c_{CA2}} (mod p). (γ_{CA2} is CA2's public key
reconstruction public data.)
[0242]3. CA1 chooses a function f_1=F(γ_{CA2}, I_{CA2}) and computes
k_{CA2} (if k_{CA2}=0, then CA1 chooses another c_{CA2} in step 2 and
re-computes k_{CA2}).

[0278]The following describes a scheme that allows multiple CA's to sign
ONE implicit certificate. This is illustrated by the case where three
CA's co-sign a certificate using the basic scheme 3'.

[0279]System Setup:

[0280]Let CA1, CA2 and CA3 have common system parameters: (1) a prime p
with p=tq+1 where q is a large prime; (2) a generator α of order q; (3) a
carefully chosen function f=F(γ,(I_{A1}+I_{A2}+I_{A3})). CA1 selects a
random integer c_1, with 1 ≤ c_1 ≤ q-1, as its private key, then computes
the public key β_1 = α^{c_1} mod p and publishes (β_1, α, p, q). CA2
selects a random integer c_2, with 1 ≤ c_2 ≤ q-1, as its private key,
then computes the public key β_2 = α^{c_2} mod p and publishes (β_2, α,
p, q). CA3 selects a random integer c_3, with 1 ≤ c_3 ≤ q-1, as its
private key, then computes the public key β_3 = α^{c_3} mod p and
publishes (β_3, α, p, q).
[0281]Step 1. A randomly chooses an integer k and computes α^k, then
sends it to CA1, CA2 and CA3.
[0282]Step 2. CAs exchange information and compute implicit certificates

[0283]Phase 1.
[0284]1. CA1 chooses a unique distinguished name or identity I_{A1} and a
random integer c_{A1} with 1 ≤ c_{A1} ≤ q-1, computes α^{c_{A1}} and
sends (α^{c_{A1}}, I_{A1}) to CA2 and CA3.
[0285]2. CA2 chooses a unique distinguished name or identity I_{A2} and a
random integer c_{A2} with 1 ≤ c_{A2} ≤ q-1, computes
(α^{c_{A2}}, I_{A2}) and sends α^{c_{A2}} to CA1 and CA3.
[0286]3. CA3 chooses a unique distinguished name or identity I_{A3} and a
random integer c_{A3} with 1 ≤ c_{A3} ≤ q-1, computes
(α^{c_{A3}}, I_{A3}) and sends α^{c_{A3}} to CA1 and CA2.

[0300]The following examples are illustrated with respect to scheme 3 (or
Scheme 7') as CA's signing equation since everyone shares the same
generator in this scheme. Each user can have a different CA as long as
the CAs use the system parameters (p,q,d) and each user has the same
generator.

Setup:

[0301]CA1: system parameters (α, β_1, p, q, d)

[0302]Alice has a private key a, generator α and publishes (α, I_A, β,
γ_A, p, q) in the public domain.

CA2: system parameters (α, β_2, p, q)

[0303]Bob has a private key b, a generator α and publishes (α, I_A, β,
γ_A, p, q) in the public domain.

We use the MTI/C0 key agreement protocol to demonstrate how to use our new
scheme. Assume Alice and Bob want to perform a key exchange.

The MTI/C0 protocol
[0304]1. Alice reconstructs Bob's public key
α^b = β^{F(γ_B, I_B)} γ_B, and randomly chooses an integer x and computes
(α^b)^x, then sends it to Bob.
[0305]2. Bob reconstructs Alice's public key
α^a = β^{F(γ_A, I_A)} γ_A, and randomly chooses an integer y and computes
(α^a)^y, then sends it to Alice.
[0306]3. Alice computes the shared key
K_A = (α^{ay})^{x a^{-1}} = α^{xy}
[0307]4. Bob computes the shared key
K_B = (α^{bx})^{y b^{-1}} = α^{xy}

[0308]This is a two-pass protocol. With the implicit certificate scheme of
the present invention, each party only does three exponentiation
operations to get the shared key while at the same time performing an
authentication key agreement and implicit public key verification.
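The two-pass exchange above with both sides' computations, as an added Python example (not code from the patent). The toy group p=2039, q=1019, α=4, the SHA-256-based F, all function names, and the one-call `issue` helper are assumptions; `issue` assumes certificates were issued under the signing equation k_A ≡ cf + c_A with a = k_A + k, which gives the reconstruction formula used in steps 1 and 2.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: p = 2q + 1.
P, Q, ALPHA = 2039, 1019, 4          # ALPHA has order Q modulo P

def F(gamma, identity):
    """Assumed F: SHA-256 over (gamma, identity), reduced mod Q."""
    digest = hashlib.sha256(gamma.to_bytes(2, "big") + identity).digest()
    return int.from_bytes(digest, "big") % Q

def ca_setup():
    c = secrets.randbelow(Q - 1) + 1
    return c, pow(ALPHA, c, P)                   # (private c, public beta)

def issue(c, identity):
    """Enrollment collapsed into one call for brevity (in the real exchange
    k never leaves the user): gamma = alpha^k * alpha^c_A, a = c*f + c_A + k."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        c_A = secrets.randbelow(Q - 1) + 1
        gamma = pow(ALPHA, k + c_A, P)
        a = (c * F(gamma, identity) + c_A + k) % Q
        if a not in (0, 1):
            return a, gamma                      # (private key, public gamma)

def reconstruct(beta, gamma, identity):
    """alpha^a = beta^F(gamma, I) * gamma (mod p), from public data only."""
    return pow(beta, F(gamma, identity), P) * gamma % P

def mti_send(ca_beta, peer_gamma, peer_id):
    """Steps 1 and 2: reconstruct the peer's key, raise it to a fresh secret."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(reconstruct(ca_beta, peer_gamma, peer_id), x, P)

def mti_key(received, own_secret, own_private):
    """Steps 3 and 4: K = received^(x * a^-1 mod q)."""
    return pow(received, own_secret * pow(own_private, -1, Q) % Q, P)

def demo():
    c1, beta1 = ca_setup()                       # Alice's CA
    c2, beta2 = ca_setup()                       # Bob's CA, same (p, q, alpha)
    a, gamma_a = issue(c1, b"alice")
    b, gamma_b = issue(c2, b"bob")
    x, to_bob = mti_send(beta2, gamma_b, b"bob")       # Alice -> Bob
    y, to_alice = mti_send(beta1, gamma_a, b"alice")   # Bob -> Alice
    return mti_key(to_alice, x, a), mti_key(to_bob, y, b)
```

If Alice reconstructs Bob's key under a different CA's public key (and F is nonzero), the two sides derive different keys: agreeing on a key is the evidence that the peer holds the private key matching the certified data.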

[0309]The following are examples of signcryption schemes. We use scheme 3
(or scheme 7) as CA's signing equation since everyone shares the same
generator in this scheme. For the scheme thereafter, we use scheme 13 as
CA's signing equation. For all schemes in this section, each user can
have a different CA as long as the CA's use the same system parameters
(p,q,α) and each user has the same generator.

[0311]Assume Bob wants to send a signed and encrypted message M to Alice:

Bob does the following:
1. reconstructs Alice's public key α^a = β^{F(γ_A, I_A)} γ_A mod p
2. randomly chooses an integer x and computes a key r = (α^a)^x (mod p)
3. computes C = DES_r(M)
4. computes e = hash(C I_A)
5. computes s = be + x (mod q)
6. sends the pair (C, s) to Alice, thus C is the encrypted message and s
is the signature.

To recover the message Alice does the following:
1. computes e = hash(C I_A)
2. reconstructs Bob's public key α^b = β^{F(γ_B, I_B)} γ_B mod p
3. computes α^{as} (α^b)^{-ae} (mod p), which is r
4. decrypts the message M = DES_r(C)
5. checks for redundancy

Thus, Bob only does two exponentiation operations and Alice does three
exponentiation operations. But Alice and Bob are both confident of each
other's authentication. Note that for this scheme, the message M must
have some redundancy or pattern.

[0322][0323]1. If the certificate scheme is not the implicit certificate
as described herein, Alice and Bob's public keys should be verified.
[0324]2. The message M must have some redundancy or pattern.
[0325]3. Anyone who knows one value r can decrypt any messages from Bob
to Alice since the value α^{ab} will be exposed.
[0326]4. In general, we should include an option parameter in the hash e,
i.e. e = hash(C ∥ α^a ∥ OP). For example, OP = α^b or
OP = α^b ∥ β_1 ∥ β_2.

The signcryption schemes above have a drawback that if the signer loses
his/her private signing key, then all messages the signer signcrypted
will be exposed to the public. To protect post encryption we propose a
new signcryption scheme. In the new scheme, each user has two pairs of
keys: one pair is the signature key pair and the other pair is the
encryption key pair. The new scheme can be used with any certificate
scheme. But if it is used with our implicit certificate scheme, it is
more efficient.

[0338][0339]1. We can think of the receiver Alice's private key as
a+a_E. This means the receiver only needs one private key instead of two
private keys. But the sender Bob needs two private keys. In the case of a
normal certificate, the receiver only needs one private key.
[0340]2. If the certificate scheme is not the implicit certificate
described in this application, Alice and Bob's public keys should be
verified.
[0341]3. The message M must have some redundancy or pattern.
[0342]4. The parameter OP inside the hash
e = hash(C ∥ α^a ∥ α^{a_E} ∥ α^b ∥ α^{b_E} ∥ OP) may be empty or
OP = β_1 ∥ β_2.
[0343]5. Knowing one r value does not reveal any information about the
post messages.
[0344]6. With the implicit certificate scheme, Bob only does 2
exponentiation operations and Alice does 4 exponentiation operations. But
Alice and Bob are both confident that the other is the authentic party.
[0345]7. If anyone knows Alice's private key a+a_E or Bob loses both
private keys, the post encrypted message cannot be protected.

For normal signatures, one problem is that the signer denies he/she
signed the signature. This is called repudiation. Protocols 1 and 2 above
have a non-repudiation feature provided one trusts the judge. That is,
the signer cannot deny that he/she signed the signcrypted message.
Protocol 3 has a non-repudiation feature even when the judge is not
trusted. The next protocol demonstrates how a judge decides a case where
Bob wants to deny the signature.

Non-repudiation protocol:
[0346]1. Alice sends (C, s) to Judge.
[0347]2. Judge computes
e = hash(C ∥ α^a ∥ α^{a_E} ∥ α^b ∥ α^{b_E} ∥ OP) and
α^x = α^s (α^b)^{-e} α^{-b_E} (Note: Alice and Bob's two pairs of public
keys should be verified. In the case of the implicit certificate scheme,
the public keys should be computed from the reconstruction public data.)
[0348]3. Judge randomly chooses two integers r_1 and r_2, computes
L = (α^x)^{r_1} α^{r_2} and sends L to Alice.
[0349]4. Alice computes L^{a+a_E} and sends it back to Judge.
[0350]5. Judge computes
r = (L^{(a+a_E)} (α^a α^{a_E})^{-r_2})^{r_1^{-1}} and recovers the
message by M = DES_r(C).
[0351]6. If M has the proper format, then (C, s) must have been
signcrypted by Bob.
[0352]7. After the judge makes the decision, he sends the values (α^r,
r_1, r_2, L, L^{a+a_E}, r) to Alice and Bob to back up his decision.

For the other two signcryption protocols the non-repudiation protocols
are similar provided one fully trusts the judge.

[0353]In conclusion it may be seen that the present scheme, when combined
with an application protocol for which the user's private key must be
used directly in computation, provides an implicitly certified ID-based
public key of the user. These schemes can also be used for a Key
Authentication Center (KAC) to distribute implicitly certified public
keys to users.

[0354]A further application of implicitly certified public keys is that
the bit strength of the certifying authority is the same as the user or
entity public keys being certified. By bit strength it is implied the
relative key sizes and processing power of the entities concerned.

[0355]One approach to addressing this issue is to embed implicitly
certified public keys into more traditional certificate structures such
as specified in X.509 certificates, where the signature on the
certificate is at a higher bit strength than the implicitly certified
public key. Hence, the CA has certified the user public key at two
different security levels. Any other entity retrieving a public key can
decide on which security level they wish to accept. In some applications
it may be that only the lower level provided by the implicit value is
necessary to provide the performance required.

[0356]While the invention has been described in connection with specific
embodiments thereof and in specific uses, various modifications thereof
will occur to those skilled in the art without departing from the spirit
of the invention as set forth in the appended claims. For example, in the
above description of preferred embodiments, use is made of multiplicative
notation; however, the method of the subject invention may be equally
well described utilizing additive notation. It is well known, for
example, that the elliptic curve algorithm embodied in the ECDSA is the
equivalent of the DSA and the elliptic curve analog of a discrete
logarithm algorithm that is usually described in a setting of F_p^*, the
multiplicative group of the integers modulo a prime. There is a
correspondence between the elements and operations of the group F_p^* and
the elliptic curve group E(F_q). Furthermore, this signature technique is
equally well applicable to functions performed in a field defined over
F_p and F_{2^H}. It is also to be noted that the DSA signature scheme
described above is a specific instance of the ElGamal generalized
signature scheme which is known in the art and thus the present
techniques are applicable thereto.